3 Answers
3

You don't prevent MAC spoofing, since it's entirely client-side. This is the reason that no one that really cares about security is using MAC whitelisting or blacklisting.

If you care about controlling what devices connect to your network, you should be using 802.1x with device certificates issued by your own internal CA that you control, or with some form of NAC like Cisco ISE or Microsoft NAP.

Indeed. Security by futzing with MAC addresses is at best a minor inconvenience to anyone with even slight competence, and these days only a slight speedbump to newbie hackers who have heard of Google before.
– RobM Oct 22 '13 at 14:57

You cannot prevent MAC spoofing. The problem you're trying to solve is authentication. And the MAC address is simply not the right way to provide authentication since it can be spoofed very easily. There are even legit reasons to spoof a MAC address.

If you want to restrict which computers can connect, you have to use better methods than relying on the MAC address, preferably methods that leverage some sort of encryption.
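The distinction both answers draw, between an identifier the client supplies and proof of possession of a key, shown as an added example that is not part of the answers above. It uses an HMAC challenge-response with a per-device shared secret as a simplified stand-in for 802.1X with device certificates; the addresses, keys and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: one enrolled device and its per-device secret.
ENROLLED_MAC = "02:00:00:aa:bb:01"
ALLOWED_MACS = {ENROLLED_MAC}
DEVICE_KEYS = {ENROLLED_MAC: secrets.token_bytes(32)}


class Client:
    """A station that claims a MAC and may or may not hold the device key."""

    def __init__(self, claimed_mac, key=None):
        self.claimed_mac = claimed_mac.lower()
        self.key = key

    def respond(self, nonce):
        # Without the enrolled key, the best a client can do is guess.
        key = self.key if self.key is not None else secrets.token_bytes(32)
        return hmac.new(key, nonce + self.claimed_mac.encode(), hashlib.sha256).digest()


def mac_filter_admits(client):
    """MAC allowlisting: trusts an identifier the client itself supplies."""
    return client.claimed_mac in ALLOWED_MACS


def challenge_response_admits(client):
    """Admit only a client that proves possession of the enrolled key."""
    key = DEVICE_KEYS.get(client.claimed_mac)
    if key is None:
        return False
    nonce = secrets.token_bytes(16)  # fresh per attempt, so old replies are useless
    expected = hmac.new(key, nonce + client.claimed_mac.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, client.respond(nonce))


enrolled = Client(ENROLLED_MAC, DEVICE_KEYS[ENROLLED_MAC])
same_mac_no_key = Client("02:00:00:AA:BB:01")  # claims the enrolled address only
unknown = Client("02:00:00:aa:bb:99")

if __name__ == "__main__":
    for name, c in [("enrolled", enrolled), ("same MAC, no key", same_mac_no_key), ("unknown", unknown)]:
        print(f"{name:17} mac_filter={mac_filter_admits(c)} challenge={challenge_response_admits(c)}")
```
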